- PublMe bot posted in Space
Bugs in transportation app Moovit gave hackers free rides
Hackers could have hijacked the user accounts of a popular transportation app and used them to get free rides and access people’s personal information, according to a security researcher.
Omer Attias, a security researcher at SafeBreach, said he found three vulnerabilities in the Moovit app, which allowed him to collect new Moovit users’ registration information from all over the world — including cell phone numbers, email addresses, home addresses, and the last four digits of credit cards. Worst of all, the bugs could have allowed him to take over other people’s accounts, and consequently their credit cards, to pay for his own rides.
This whole chain of exploits could have been performed without the target ever finding out, apart from seeing unwanted charges on their credit card. Attias called it “the perfect attack.”
“We can fully impersonate accounts, without disconnecting them. It’s crazy, we actually have the ability to perform all the operations on behalf of different accounts, including ordering train tickets,” Attias told TechCrunch in an interview ahead of his talk at the Def Con hacking conference in Las Vegas. “And additionally, we can access all of their personal information.”
To demonstrate the impact of the bugs he found, Attias created a custom interface that allowed him to take over other people’s accounts with a couple of taps. And while Attias said he tested his exploits only in Israel, he said he thinks it could have worked in other cities given that Moovit operates all over the world.
Moovit is an Israeli startup that was acquired by Intel in 2020 for $900 million. The app allows users to find routes and view public transportation systems’ maps, as well as to purchase and use tickets. The app and its underlying technology are widely used worldwide: Moovit claims to serve 1.7 billion riders in 3,500 cities across 112 countries.
While the impact of these vulnerabilities was potentially massive, Moovit said there is no evidence that malicious hackers found and exploited these bugs. Attias said that he reported all the bugs he found to the company in September 2022, and the company subsequently fixed them.
“Moovit was aware of and rectifying the issue when it was reported, and took immediate steps to finish correcting the issue,” Moovit spokesperson Sharon Kaslassi told TechCrunch. “The vulnerabilities have long since been fixed and no customer action is required. It’s important to note that no bad actors took advantage of these issues to access customer data. Additionally, no credit card information was exposed as Moovit and Moovit-Pango do not keep credit card information on file.”
Kaslassi also said that “ticketing service relevant to these findings is active in Israel only.”
“According to our records, neither Safebreach or anyone else took advantage of any customer data in or outside of Israel,” the spokesperson added.
In response to Moovit’s comments, Attias said that he and his colleagues “believe we could have charged any customer not limited to Israeli customers. We haven’t seen any differentiator between Israeli and non Israeli customers in their API requests.”
Read more from Black Hat:
How the FBI goes after DDoS cyberattackers
Researchers watched 100 hours of hackers hacking honeypot computers
Researchers jailbreak a Tesla to get free in-car feature upgrades
Bugs in transportation app Moovit gave hackers free rides | TechCrunch
techcrunch.com
A series of bugs in the Moovit transportation app could have allowed hackers to get free rides, a security researcher warns.
- PublMe bot posted in Space
Bitcoin’s sideways price action leads traders to focus on SHIB, UNI, MKR and XDC
SHIB, UNI, MKR and XDC show signs of strength even as Bitcoin price remains stuck inside a narrow range.
cointelegraph.com
If Bitcoin holds its current range, SHIB, UNI, MKR and XDC could continue to rally.
- PublMe bot posted in Space
Wide Blue Sound Audio Plugin Uninstaller
Audio Plugin Uninstaller is the easiest way to manage your audio plugins on your Mac. Unplug and play. Audio plugins install files all over your computer, and each developer... Read More
https://www.kvraudio.com/product/audio-plugin-uninstaller-by-wide-blue-sound?utm_source=kvrnewindbfeed&utm_medium=rssfeed&utm_campaign=rss&utm_content=26800
- PublMe bot posted in Space
JD Factory PanBox
Panbox is your must-have audio plugin for achieving natural and realistic panning in your music productions. With a wide range of advanced algorithms, you can easily fine-tune... Read More
https://www.kvraudio.com/product/panbox-by-jd-factory?utm_source=kvrnewindbfeed&utm_medium=rssfeed&utm_campaign=rss&utm_content=26798
- PublMe bot published a board post Alice Phoebe Lou - Halo
Alice Phoebe Lou - Halo
By PublMe bot
Sounds like: Phoebe Bridgers, Lord Huron, girl in red
What's so good? A Heavenly Feeling
Alice Phoebe...
- PublMe bot posted in Space
GameSoundCon 2023 registration now open
The world’s largest professional conference for video game music and sound design will be held at Burbank Convention Center in Burbank, California on 17 - 18 October 2023.
www.soundonsound.com
- PublMe bot posted in Space
NatLife Sounds KRK For Roland JP-08
We are glad to present you a new soundbank for Roland JP-08 – KRK. It continues the Trance line of the first soundbank for JP-08 but with a special taste of Adriatic Island –... Read More
https://www.kvraudio.com/product/krk-for-roland-jp-08-by-natlife-sounds?utm_source=kvrnewindbfeed&utm_medium=rssfeed&utm_campaign=rss&utm_content=26796
- PublMe bot posted in Space
Researchers jailbreak a Tesla, the FCC fines robocallers and WeWork finds itself in trouble (again)
Welcome, friends, to TechCrunch’s Week in Review (WiR), the newsletter where we recap the week that was in tech. For those new to WiR, think of it as a digest of stories and pieces that topped the charts over the past five days or so.
In this week’s edition of WiR, we cover researchers figuring out a way to “jailbreak” Teslas, the AI.com domain name switching hands and the FCC fining robocallers. Also featured are stories about WeWork’s perennial struggles, Google’s Messages app fully embracing RCS, and spyware maker LetMeSpy shutting down after a massive data breach.
If you haven’t already, sign up here to get WiR in your inbox every Saturday. Now, on with the recap.
Most read
Jailbreak your Tesla: A group of researchers say that they’ve found a way to hack the hardware underpinning Tesla’s infotainment system, allowing them to get what normally would be paid upgrades — such as heated rear seats — for free. Lorenzo has the story.
AI.com switches hands: A few months back, OpenAI seemingly purchased the domain AI.com in order to redirect it to the web app for its AI-powered chatbot, ChatGPT. But now AI.com redirects to X.ai, Elon Musk’s machine learning research outfit — suggesting that the CEO of X (formerly known as Twitter) has come into possession of the domain.
FCC fines robocallers: The FCC has fined a robocaller a record $300 million after blocking billions of their scam calls. But as Devin writes, whether and when the money will be paid is, as always, something of an open question.
WeWork in trouble . . . again: WeWork this week announced a net loss of $397 million for the second quarter on revenue of $877 million. The 13-year-old flexible space provider — which faces both increased competition and declining post-pandemic demand — didn’t mince words, admitting that “substantial doubt exists about [its] ability to continue.”
Google Messages embraces RCS: Google said this week that it’s making its Messages by Google app more secure with improvements to RCS, or Rich Communication Services — a protocol aimed at replacing SMS. The company says it’ll now make RCS the default for both new and existing Messages app users, and end-to-end encryption for group chats is now fully rolled out to all RCS users.
Google launches Project IDX: In more Google news, the tech giant this week launched Project IDX, an AI-enabled, browser-based development environment for building full-stack web and multiplatform apps.
ChatGPT custom instructions expand: OpenAI this week announced that it’s expanding custom instructions — a way to give users more control over how ChatGPT responds — to all users, including those on the free tier of the service. The feature, which was first unveiled in July as a beta for ChatGPT Plus subscribers, allows users to add various preferences and requirements that they want the AI chatbot to consider when responding.
Spyware maker shuts down: Poland-based spyware LetMeSpy is no longer operational and said it will shut down after a June data breach wiped out its servers, including its huge trove of data stolen from thousands of victims’ phones.
Audio
This reporter would venture to say that TechCrunch’s roster of podcasts has something for every interest. This week, as every week, there’s intriguing new material for your listening enjoyment.
On Equity, the crew talked about a lawsuit targeting a grant program providing small checks to Black women small-business owners and how some countries are taking a different track, including the U.K.
Meanwhile, this week’s episode of Found focused on Anurupa Ganguly, the founder and CEO at Prisms, a startup designing VR math curriculum for middle and high school students. Ganguly talked about how her time as a teacher in the Boston and New York City public school systems provided early inspiration for the company, and what it’s been like selling to schools, as well as her take on company culture in relation to remote and hybrid work.
And Chain Reaction hosted Robbie Ferguson, the co-founder and president of Immutable. Immutable is a web3 company consisting of two entities: Immutable Platform, a developer platform for building and scaling Ethereum-based web3 games, and Immutable Games, a web3 game developer and publisher.
TechCrunch+
TC+ subscribers get access to in-depth commentary, analysis and surveys — which you know if you’re already a subscriber. If you’re not, consider signing up. Here are a few highlights from this week:
Room-temp superconductor? Not so fast: The internet — and more than a few scientists — got their hopes up a couple weeks ago when a team of physicists from South Korea announced that they had created a room-temperature superconductor from a slew of common yet unlikely materials. But, as Tim writes, it’s probably, disappointingly bunk.
Taking another look at venture debt: Silicon Valley Bank’s nosedive has soured many on venture debt, and for early-stage companies, it bears being cautious. As an option for growth-stage companies with more predictable cash flow, however, things may be a little different. Haje investigates.
Taking a page from mobile gaming: Retaining mobile app subscribers is harder than it was last year, but paywall optimization and gamified UX can help. Anna explores the ins and outs of the turbulent market, and how apps are following examples from mobile gaming.
Get your TechCrunch fix IRL. Join us at Disrupt 2023 in San Francisco this September to immerse yourself in all things startup. From headline interviews to intimate roundtables to a jam-packed startup expo floor, there’s something for everyone at Disrupt. Save up to $400 when you buy your pass now through September 18, and save 15% on top of that with promo code WIR. Learn more.
Researchers jailbreak a Tesla, the FCC fines robocallers and WeWork finds itself in trouble (again) | TechCrunch
techcrunch.com
In this edition of TC's Week in Review (WiR) newsletter, we cover researchers hacking Teslas, the FCC fining robocallers and more.
- PublMe bot posted in Space
SBF ordered to jail, Bitcoin ETF delayed and SEC to appeal Ripple case: Hodler’s Digest, Aug. 6-12
Sam Bankman-Fried has bail revoked, ordered to jail; the SEC delays decision on a spot Bitcoin ETF; and the SEC moves to appeal on Ripple’s case.
cointelegraph.com
Keep track of Sam Bankman-Fried's bail getting revoked, the SEC delaying a spot Bitcoin ETF, and its appeal against Ripple.
- PublMe bot published a board post Tourist - A Little Bit Further
Tourist - A Little Bit Further
By PublMe bot
Sounds like: Klyne, DRAMA, ford
What's so good? Memories Like Glitter
Tourist takes out the glitter...
- PublMe bot posted in Space
Getting It Done: The week in D.I.Y. and Indie music
Last week, our tips and advice for the independent, do-it-yourselfers out there covered how to find more time for your music, how much musicians can make on TikTok, and more…. Continue reading
The post Getting It Done: The week in D.I.Y. and Indie music appeared first on Hypebot.
www.hypebot.com
- PublMe bot posted in Space
REWIND: The new music industry’s week in review
A busy week by any definition, the music industry was no exception, with Threads’ engagement already declining, South Asian music taking on the globe, scalpers funding consumer groups, and more…. Continue reading
The post REWIND: The new music industry’s week in review appeared first on Hypebot.
www.hypebot.com
- PublMe bot posted in Space
Bogren Digital release MLC Subzero 100
MLC Subzero 100 models the hand-built guitar amp of the same name from Mark L Custom Guitar Electronics, a model renowned for its rich, detailed tone.
www.soundonsound.com
- PublMe bot posted in Space
Touch The Universe Productions Starlit Eternity for Omnisphere
The Starlit Eternity Library contains 179 high quality presets and nearly 50MB of unique content for the beautiful Omnisphere 2 synthesizer from Spectrasonics and is suitable for any contemporary... Read More
https://www.kvraudio.com/product/starlit-eternity-for-omnisphere-by-touch-the-universe-productions?utm_source=kvrnewindbfeed&utm_medium=rssfeed&utm_campaign=rss&utm_content=26795
- PublMe bot posted in Space
Celebrating the 50th anniversary of hip hop
From MPCs and vinyl shopping to FL grids and sample chopping, today we celebrate the sounds, styles, and creators of hip hop.
splice.com